

posted by mrpg on Friday August 17 2018, @12:39AM
from the caught-with-their-hands-in-the-cookie-jar dept.

A popular Firefox add-on is secretly logging users' browsing history, according to reports from the author of the uBlock Origin ad blocker and Mike Kuketz, a German privacy and security blogger. The add-on in question is named Web Security and is currently installed by 222,746 Firefox users, according to the official Mozilla Add-ons Portal. The add-on's description claims Web Security "actively protects you from malware, tampered websites or phishing sites that aim to steal your personal data."

Its high install count and positive reviews got the add-on on a list of recommended security and privacy add-ons on the official Firefox blog last week.

But this boost of attention from the Mozilla team didn't go down as intended. Hours after Mozilla's blog post, Raymond Hill, the author of the uBlock Origin ad blocker pointed out on Reddit that the add-on exhibited a weird behavior.

"With this extension, I see that for every page you load in your browser, there is a POST to http://136.243.163.73," Hill said. "The posted data is garbled, maybe someone will have the time to investigate further."

Hill's warning went under the radar for a few days until yesterday, when Kuketz, a popular German blogger, posted an article about the same behavior. Hours later, a user on Kuketz's forum managed to decode the "garbled" data, revealing that the add-on was secretly sending the URL of visited pages to a German server. Under normal circumstances, a Firefox add-on that needs to scan for threats might be entitled to check the URLs it scans on a remote server, but according to the format of the data the add-on was sending to the remote server, Web Security appears to be logging more than the current URL.

The data shows the plugin tracking individual users by an ID, along with their browsing pattern, logging how users went from an "oldUrl" to a "newUrl." This logging pattern is a bit excessive and against Mozilla's Addon Portal guidelines that prohibit add-ons from logging users' browsing history.

Source: Firefox Add-On With 220,000+ Installs Caught Collecting Users' Browsing History
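A defender-side check built from the observable Hill described above (a POST to the same third-party address shortly after every page load, with a body that carries the visited URL). This is an added example, not code from the story or the add-on; the telemetry records are constructed, and the base64-of-JSON body encoding is an assumption, since the page does not disclose the real format of the "garbled" data.

```python
import base64
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample telemetry: page navigations and the outbound requests an
# extension made, as a network monitor export might record them.
# Only the endpoint address comes from the story; every body is made up.
NAVIGATIONS = [
    (1.0, "https://example.org/"),
    (6.0, "https://example.org/login"),
    (12.0, "https://news.example/story/42"),
]

def enc(obj):
    # Stand-in for the add-on's "garbled" body (assumption: base64 of JSON).
    return base64.b64encode(json.dumps(obj).encode()).decode()

REQUESTS = [  # (time, method, destination, body)
    (1.2, "POST", "http://136.243.163.73/", enc({"id": "u1", "oldUrl": "", "newUrl": "https://example.org/"})),
    (6.3, "POST", "http://136.243.163.73/", enc({"id": "u1", "oldUrl": "https://example.org/", "newUrl": "https://example.org/login"})),
    (12.1, "POST", "http://136.243.163.73/", enc({"id": "u1", "oldUrl": "https://example.org/login", "newUrl": "https://news.example/story/42"})),
    (7.0, "GET", "https://cdn.example/blocklist.bin", ""),  # benign update fetch
]

def decode_body(body):
    """Best-effort decoding of an opaque body; falls back to the raw text."""
    try:
        return base64.b64decode(body, validate=True).decode("utf-8", "replace")
    except Exception:
        return body

def find_history_leaks(navs, reqs, window=2.0):
    """Return third-party endpoints that receive a POST within `window`
    seconds of every navigation, with a count of bodies that contain the
    visited URL (the oldUrl/newUrl pattern described in the story)."""
    per_endpoint = defaultdict(lambda: {"hits": 0, "leaks": 0})
    for t_nav, url in navs:
        for t_req, method, dest, body in reqs:
            if method != "POST" or not (0 <= t_req - t_nav <= window):
                continue
            endpoint = urlparse(dest).netloc
            if endpoint == urlparse(url).netloc:  # first-party traffic is expected
                continue
            per_endpoint[endpoint]["hits"] += 1
            if url in decode_body(body):
                per_endpoint[endpoint]["leaks"] += 1
    return {ep: s for ep, s in per_endpoint.items() if s["hits"] == len(navs)}

if __name__ == "__main__":
    for ep, s in find_history_leaks(NAVIGATIONS, REQUESTS).items():
        print(f"{ep}: POST after {s['hits']}/{len(NAVIGATIONS)} navigations, "
              f"{s['leaks']} bodies contained the visited URL")
```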


Original Submission

  • (Score: 5, Insightful) by RandomFactor on Friday August 17 2018, @12:47AM (3 children)

    by RandomFactor (3682) Subscriber Badge on Friday August 17 2018, @12:47AM (#722618) Journal

    Some code from testing was inadvertently left in our product and not removed during the build process as it should have been.

    Rest assured that this was unintentional. The data has not been retained or shared and an update will be forthcoming which removes the test code.

    Again our apologies to our users and the community for this unintended behavior.

    (I want cookies if I'm close)

    --
    In «Pravda» there is no news, in «Izvestia» there is no truth
    • (Score: -1, Spam) by Ethanol-fueled on Friday August 17 2018, @02:20AM (2 children)

      by Ethanol-fueled (2792) on Friday August 17 2018, @02:20AM (#722650) Homepage

      Suck my Dick, Fifth-Columnist infiltrators!

      https://www.youtube.com/watch?v=bEea624OBzM [youtube.com]

      Ha ha ha Heeeeeee Heeee Hoooo!

      • (Score: -1, Flamebait) by Ethanol-fueled on Friday August 17 2018, @02:29AM

        by Ethanol-fueled (2792) on Friday August 17 2018, @02:29AM (#722653) Homepage

        You had to have the White Hot Spot-Light, you had to be a Big-Shot Last Night! HaHaHA!

      • (Score: 0) by Anonymous Coward on Friday August 17 2018, @02:38AM

        by Anonymous Coward on Friday August 17 2018, @02:38AM (#722657)

        Can't believe it but we think you're getting stupider every day. With luck it will be fatal.

  • (Score: 4, Insightful) by bob_super on Friday August 17 2018, @01:06AM (1 child)

    by bob_super (1357) on Friday August 17 2018, @01:06AM (#722623)

    Computer program unnecessarily uploads user behavior to cloud, in 2018!
    News at 11.

    • (Score: 0) by Anonymous Coward on Friday August 17 2018, @03:40AM

      by Anonymous Coward on Friday August 17 2018, @03:40AM (#722681)

      I am glad that someone looks into these things and found this. Otherwise, how can the average Joe ever know? Many eyes make for shallow bugs.

  • (Score: 2) by RS3 on Friday August 17 2018, @01:13AM (6 children)

    by RS3 (6367) on Friday August 17 2018, @01:13AM (#722626)

    I bet someone here has command and control over a nice botnet that can ddos 136.243.163.73

    • (Score: 2) by MichaelDavidCrawford on Friday August 17 2018, @01:48AM (5 children)

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Friday August 17 2018, @01:48AM (#722636) Homepage Journal

      Don't do "ping -f", that would get your IP banned, maybe kicked off your ISP.

      Just the regular ping would suffice if enough of us were to participate.

      Be sure to set up a script for it either with cron or in /etc/rc.d

      --
      Yes I Have No Bananas. [gofundme.com]
      • (Score: 3, Funny) by RS3 on Friday August 17 2018, @05:03AM (4 children)

        by RS3 (6367) on Friday August 17 2018, @05:03AM (#722696)

        So I shouldn't let this run overnight?

        ping -f 136.243.163.73
        PING 136.243.163.73 (136.243.163.73) 56(84) bytes of data.
        .................^C
        --- 136.243.163.73 ping statistics ---
        999 packets transmitted, 982 received, 1% packet loss, time 13961ms
        rtt min/avg/max/mdev = 121.289/154.934/180.884/11.761 ms, pipe 16, ipg/ewma 13.989/147.403 ms

        curl -I 136.243.163.73
        HTTP/1.1 404 Not Found
        Server: nginx/1.10.3 (Ubuntu)
        Date: Fri, 17 Aug 2018 04:57:41 GMT
        Content-Type: text/html;charset=UTF-8
        Connection: keep-alive
        Access-Control-Allow-Origin: *

        Okay, how about this:

        curl -F "file=@/dev/random" 136.243.163.73

        I'll just let that run... See, we just need a botnet on gigabit- that should keep him busy. He's in Germany- best if some locals run it.

        • (Score: 2) by coolgopher on Friday August 17 2018, @07:56AM (3 children)

          by coolgopher (1157) on Friday August 17 2018, @07:56AM (#722718)

          /dev/random will quickly exhaust your entropy pool, and block. Not so with /dev/urandom or /dev/zero.

          Note that most web servers are configured with upload limits, and when hit you'll get an error response like:

          <html>
          <head><title>413 Request Entity Too Large</title></head>
          <body bgcolor="white">
          <center><h1>413 Request Entity Too Large</h1></center>
          <hr><center>nginx/1.10.3 (Ubuntu)</center>
          </body>
          </html>

          so your enjoyment is rather brief. Unless you used the command in a loop, I mean.

          • (Score: 2) by RS3 on Friday August 17 2018, @01:03PM (2 children)

            by RS3 (6367) on Friday August 17 2018, @01:03PM (#722780)

            Thank you for your attention to detail. It was supposed to be a somewhat sarcastic humorous proof-of-concept, but I realize veiled humor often gets missed. I should have used pseudo-code and let you work out the details in your favorite programming language. We'll need you to work even more overtime hours for the next few weeks- we have several more "special" projects.

            Seriously, there is no way I would run that- for many reasons. I don't need trouble, nor an ISP blocking me. I don't stoop to evil just to fight evil. But thank you again, and your information tempts me to run it occasionally. And yes, it would be run in a pseudo-random loop. And no, there is no way I will do it.

            • (Score: 2) by MichaelDavidCrawford on Saturday August 18 2018, @09:13AM (1 child)

              by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Saturday August 18 2018, @09:13AM (#723072) Homepage Journal

              I never released the source because I could never get it to work well enough to rip an entire pr0nsite. Always wget would die after a few hours. It's not smart enough to clue in to the fact that previously-downloaded HTML files don't need to re-download so it would always start again from the very beginning.

              You can configure wget to have a custom User-Agent. You can configure the number of retries from failed GETs, the timeouts for receiving the entire documents, the delays between successive GETs and so on.

              The delays and timeouts can usually be configured to vary randomly but with a specified average time value.

              There are all manner of ways to prevent the website you're attacking mirroring from realizing you're actually a bot.

              For extra credit you can configure your .wgetrc to _ignore_ robots.txt!

              --
              Yes I Have No Bananas. [gofundme.com]
              • (Score: 1, Funny) by Anonymous Coward on Saturday August 18 2018, @02:17PM

                by Anonymous Coward on Saturday August 18 2018, @02:17PM (#723116)

                and closing that strike...

  • (Score: 1, Offtopic) by MichaelDavidCrawford on Friday August 17 2018, @01:53AM (4 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Friday August 17 2018, @01:53AM (#722640) Homepage Journal

    -ted to register.

    A while back I was toying around not with "domaining" as cybersquatters so generously refer to themselves, but looking for unregistered domains that at one time had lots of organic links.

    My plan was to keep all those domains _forever_, and to redirect all their former URLs to pages on my own sites.

    I found one that was obviously valuable so I decided to register it, but didn't actually try until a few hours later. By that time some manner of really, really big domainer had snatched it out from under me.

    I blamed the PageRank/Alexa add-on I was using and so removed it. I contemplated taking some further action but at the time I just didn't have the headspace to deal with it.

    It happens that a certain once-popular domain has been available for at least five years. Sucks to be a Dot-Com Startup! I'll go register it after I sing on the street [warplife.com] for three hours or so.

    Twice now I've gotten tipped $20 bills!

    Good Times.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 3, Interesting) by Anonymous Coward on Friday August 17 2018, @04:31AM (3 children)

      by Anonymous Coward on Friday August 17 2018, @04:31AM (#722691)

      It can depend on how you checked them. Did you do whois through ICANN or another place? Did you just browse to random domain names to see if they resolved? Also, this is a fun way to mess with registrars: I hate godaddy, so for fun, I've searched for the same unregistered domain names there. You can guess who ends up registering and parking the domain name after a few attempts.

      • (Score: 2) by MichaelDavidCrawford on Friday August 17 2018, @04:51AM

        by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Friday August 17 2018, @04:51AM (#722693) Homepage Journal

        So there is some possibility that the fault was an inconsistent whois cache.

        As I proceeded further into this project, I stumbled across the advice that the only truly reliable way to determine if a domain is available is to register it.

        At the time I didn't have the Samoleons to do that, but if I ever take this up again that's what I'll do.

        --
        Yes I Have No Bananas. [gofundme.com]
      • (Score: 1) by nitehawk214 on Friday August 17 2018, @03:34PM (1 child)

        by nitehawk214 (1304) on Friday August 17 2018, @03:34PM (#722832)

        I think registrars are allowed to do "domain name sampling" where they can register it for free for a limited time. But usually just long enough to force the person who really wants it to pay through the nose.

        --
        "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
        • (Score: 1, Interesting) by Anonymous Coward on Friday August 17 2018, @06:31PM

          by Anonymous Coward on Friday August 17 2018, @06:31PM (#722888)

          Yeah, but they can only sample domains a certain number of times in a year, for certain maximum periods, and they have to announce it. So you have to spread it out to avoid those limits.

  • (Score: 2) by AthanasiusKircher on Friday August 17 2018, @02:49PM

    by AthanasiusKircher (5291) on Friday August 17 2018, @02:49PM (#722816) Journal

    The add-on's description claims Web Security "actively protects you from malware, tampered websites or phishing sites that aim to steal your personal data."

    Why should we be surprised? Organizations like the TSA have redefined the word "security" in Orwellian fashion to mean tracking you, spying on where you go, and intimidating you if you don't acquiesce.

    That seems to be what "security" now means. I expect an update to this plug-in will enable surreptitious webcam shots of you, uploading the naked ones to "screeners" just to ensure your "safety" while browsing.
